#1 2022-08-07 21:00:57

tbo
Member
Registered: 2015-04-20
Posts: 353

Problem with function AuthSessionRelease()

I want to log out of a WebApp with this URL:

http://localhost:8080/Files/Auth?userName=test&session=298123

Status code 400 is returned. The problem is in function AuthSessionRelease:

function TRestServerAuthentication.AuthSessionRelease(Ctxt: TRestServerUriContext): boolean;
...
  result := true; // recognized GET ModelRoot/auth?UserName=...&Session=...
  // allow only to delete its own session - ticket [7723fa7ebd]
  if sessid = Ctxt.Session then

I can't find the place in the TRestServerUriContext class where Session is assigned a proper value. Since Session always has the value CONST_AUTHENTICATION_SESSION_NOT_STARTED or CONST_AUTHENTICATION_NOT_USED,
the function LockedSessionDelete() is never executed. If I comment out the if condition (sessid = Ctxt.Session), the status code is 200 as expected.

With best regards
Thomas

Offline

#2 2022-08-07 21:10:53

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,661
Website

Re: Problem with function AuthSessionRelease()

Your URL is not signed, so no session is associated with this call, so it is refused - as expected.
Otherwise anyone could delete the session of other peoples!

You need to sign the URI with a proper session signature to be able to delete this very same session - and only this one.

Offline

#3 2022-08-07 21:26:09

tbo
Member
Registered: 2015-04-20
Posts: 353

Re: Problem with function AuthSessionRelease()

ab wrote:

Your URL is not signed, so no session is associated with this call, so it is refused - as expected.

Yes, my URL is signed, I just didn't copy it into the post:

http://localhost:8080/Files/Auth?userName=test&session=628367&session_signature=0009968f

The function for TMS WebCore looks like this:

procedure TCustomRestServerAuthentication.Quit;
var
  req: TJSXmlHttpRequest;
  reqUrl: String;
begin
  asm
    var url = new URL(this.FBaseUrl);
    url.searchParams.append('userName', this.FUserName);
    url.searchParams.append('session', this.FSessionID);
    reqUrl = url.toString();
  end;

  reqUrl := UrlAddSessionSignature(reqUrl);

  FillSessionZero;
  req := TJSXmlHttpRequest.new;
  req.addEventListener('load', @DoRequestSessionHandleInfo);
  req.open('GET', reqUrl);
  req.send;
end;

I should also mention that it's for this:

AuthenticationRegister(TRestServerAuthenticationNone);

With best regards
Thomas

Offline

#4 2022-08-08 22:23:40

tbo
Member
Registered: 2015-04-20
Posts: 353

Re: Problem with function AuthSessionRelease()

The problem exists! In function Authenticate() there is this break condition.

function TRestServerUriContext.Authenticate: boolean;
...
  fSession := CONST_AUTHENTICATION_SESSION_NOT_STARTED;
  if // /auth + /timestamp are e.g. allowed methods without signature
     ((MethodIndex >= 0) and
      Server.fPublishedMethod[MethodIndex].ByPassAuthentication) or
     ...
    exit;
  ...
      repeat
        s := a^.RetrieveSession(self);

Function ServiceMethodByPassAuthentication('Auth') is called in RestServer constructor. Therefore, the function RetrieveSession() is never called and another value for fSession never assigned. In function AuthSessionRelease(), the if condition cannot be reached (Ctxt.Session is always 0).

function TRestServerAuthentication.AuthSessionRelease(
  Ctxt: TRestServerUriContext): boolean;
...
  // allow only to delete its own session - ticket [7723fa7ebd]
  if sessid = Ctxt.Session then
  begin

So, a session cannot be closed manually.

With best regards
Thomas

Offline

#5 2022-08-09 11:44:31

ab
Administrator
From: France
Registered: 2010-06-21
Posts: 14,661
Website

Re: Problem with function AuthSessionRelease()

You are perfectly right.

Thanks to your debugging attempt and information, I guess it should be fixed now with
https://github.com/synopse/mORMot2/commit/ef5f6409

Sorry for the issue.

Offline

Board footer

Powered by FluxBB